Finphishing – 8 steps to criminal profits

FinPhishing – or financial spear phishing – is a form of social engineering attack which is becoming massively profitable for the criminal enterprises involved. Unfortunately for the victims it is very cheap to deploy and nearly always gets past technological security controls such as spam filtering and malware detection.

FinPhishing – short and succinct message, simple to generate but potentially deadly to the victim.

As a result of this, businesses across the globe are losing fortunes in fake wire transfers to overseas bank accounts with only limited hope of ever getting their money back.

FinPhishing (under various names) isn’t new – there are reports of Scoular Co. (a US-based private equities trader) losing $17.2m to a FinPhishing attack in June 2014. This was followed in January by the Internet Crime Complaint Centre reporting that US businesses had lost $214m to scams similar to this in the previous 14 months.

More recently, in early August, Ubiquiti Networks disclosed a loss of US$46m to a FinPhishing scam which was discovered in June.

FinPhishing is big business for criminals.

What is FinPhishing?

In summary – financial spear phishing (FinPhishing for ease) is a type of social engineering attack which tricks the victim into making a large sum transfer to a bank account managed by the attackers.

The attacks are all very similar and rely very heavily on corporate culture to work. Unfortunately the tendency of designers to make email user interfaces more “user friendly” actually helps the attacker here.

The FinPhishing Attack

The screenshot accompanying this post shows an initial FinPhishing email received by a target company. From this we can see the key elements of how the attack is constructed, in eight steps:

1. Attackers look over public websites for information to identify the business structure. This includes obvious sites such as LinkedIn, but also ones people don’t tend to post their own data to directly, such as ZoomInfo.com.

2. Once they have built up your organisation chart, they try to identify a person in a position of authority (CEO, MD etc.) and a person working in a finance role. The finance person is now the target of the attack (the victim).

3. The attackers craft an email that looks like it has come from the CEO/MD etc., often including the correct email address in the message “From:” field, but with a different email address in the Reply-To or X-Sender headers.

4. The message makes a terse request about sending funds for some urgent business activity. The brevity means it bypasses most spam filters, and the lack of a payload or malicious link allows it to bypass AV and threat monitoring.

5. The victim reads the email and it looks like it is legitimately from the CEO/MD – unfortunately most email systems only show the From address – so they reply, either asking for more details or in some cases starting the process.

6. Very alert victims may notice that the email client now shows a new email address in the “To:” box, but this is actually very rare, and sophisticated attackers can mask this.

7. Once the victim responds, the phishers know they have access to a live person who at least partly thinks the request is legitimate, and they can begin the second stage of the attack: an initial transfer of a reasonably small amount of funds (often in the $50–100k region).

8. If this works, the attackers will go all out and generate increasingly urgent, demanding requests to get as much as possible before they are detected.
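The one technical artifact these messages leave is the header mismatch described in step 3: the visible From address looks right while Reply-To (or a similar routing header) points the conversation somewhere else. The script below is an added example, not code from the original post, showing how a defender can check incoming mail for that mismatch before it reaches a finance inbox. The two sample messages are constructed for the example, the domains are placeholders, and the inclusion of Sender and Return-Path alongside the Reply-To and X-Sender headers named in the post is this example’s own choice.

```python
from email.parser import Parser
from email.utils import getaddresses

# Headers that redirect replies or identify the real sender while the visible
# From address stays untouched. Reply-To and X-Sender are the ones the post
# names; Sender and Return-Path are added here as further commonly abused
# routing headers (an assumption of this example, not from the post).
REDIRECT_HEADERS = ("Reply-To", "Sender", "X-Sender", "Return-Path")


def _domains(msg, header):
    """Lower-cased set of domains found in every address of the given header."""
    values = msg.get_all(header, [])
    return {
        addr.rsplit("@", 1)[-1].lower()
        for _, addr in getaddresses(values)
        if "@" in addr
    }


def find_redirect_mismatch(raw_message):
    """Return (header, domain) pairs whose domain differs from the From domain.

    An empty list means every routing header agrees with From. It does not
    prove the message is genuine: the post notes that sophisticated attackers
    can mask the Reply-To, so this check complements, not replaces, the
    out-of-band authorisation process for large transfers.
    """
    msg = Parser().parsestr(raw_message)
    from_domains = _domains(msg, "From")
    findings = []
    for header in REDIRECT_HEADERS:
        for domain in sorted(_domains(msg, header)):
            if domain not in from_domains:
                findings.append((header, domain))
    return findings


# Constructed sample: From shows the CEO's real address, but Reply-To sends the
# finance person's answer to a look-alike domain controlled by the attacker.
SUSPICIOUS_MESSAGE = """From: "Jane Doe" <jane.doe@victimcorp.example>
Reply-To: jane.doe@victimcorp-mail.example
To: finance@victimcorp.example
Subject: Urgent

Are you at your desk? I need a wire processed today. Reply for details.
"""

# Constructed sample: an ordinary internal message with consistent headers.
LEGITIMATE_MESSAGE = """From: "Jane Doe" <jane.doe@victimcorp.example>
Return-Path: <jane.doe@victimcorp.example>
To: finance@victimcorp.example
Subject: Q3 budget review

Please send me the updated Q3 figures when you have them.
"""


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, "->", find_redirect_mismatch(raw) or "headers consistent")
```

Run the file directly to see the two verdicts. The check is deliberately narrow: it flags only a domain disagreement between From and the routing headers, which is the signal most mail clients hide from the user (step 5 above). Treat a hit as a reason to route the message for manual review and to confirm the request by telephone with the apparent sender, never as proof of fraud on its own.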

Security measures

At its core, FinPhishing is just a social engineering attack. This means you need to concentrate on the people involved.

Provide all of your workforce with security awareness training that emphasises the risks from social engineering attacks.

Ensure anyone working in finance understands what this sort of attack looks like and what to look out for in a phishing email.

If possible, configure your mail clients to give as much detail as possible about the message headers, so that a Reply-To address that differs from the From address is visible to the reader.

Establish authorisation processes so that no one can transfer large amounts of money out of your business without solid confirmation – no matter how urgent it may be.

If you are caught by this scam, alert your bank and involve the police or law enforcement as quickly as possible. Recovering funds is always going to be difficult, so any delay will just make it worse.

Summary

FinPhishing is cheap, easy and lucrative. This means there is currently little or no incentive for attackers to stop and the low technological requirements mean that even if current attackers are caught and move on, others will fill the gap.

The best, possibly only, defence is to ensure you have robust processes and alert staff. If you do fall victim to an attack, make sure you can react quickly and hopefully you will save your business.